Many computing environments have multiple software applications that need to interact with each other and with other software such as libraries and runtime environments. Firewalls or the like are one technique for protecting the applications or other software. One type of firewall executes each application (or bundle of applications) in its own execution context. For example, some computing environments support isolation of application execution contexts.
Isolation of application execution contexts means that an application cannot access objects or data owned by an application in another context unless the other application explicitly provides an interface for access. Context isolation may be enforced by a firewall. For example, access to an instance of an object is only allowed to applications executing in the same context the object instance was created in (the owning context). Applications can provide interfaces for other applications to access in the form of shareable interface objects (SIO), which bypass the firewalls. In addition to object ownership control, when an object is accessed, other language access controls may be enforced.
Context isolation allows for coarse-grained access control to protected data or objects. For example, the protected object or data could be associated with a platform such as a smart card. A smart card is a card that may resemble a credit card and contains an embedded integrated circuit (IC). Smart cards are highly secure by design, and tampering with one results in the destruction of the information it contains. Smart cards typically have microprocessors and memory for secure processing and storage. There also exists technology similar to smart cards, but in form factors other than smart cards. Examples of such related technology are smart buttons and USB tokens. These other technologies may be used for similar functions as smart cards. USB tokens can be plugged directly into the USB port of a PC. Smart buttons and USB tokens provide programming capabilities similar to smart cards and have tamper-resistance properties.
Thus, access to platform functionalities, or to functionalities or services provided by another application, is granted solely based on the context of the calling application. For example, access to Runtime Environment (RE) functionalities, or to functionalities or services provided by another application, is granted solely based on the context of the calling application. However, context isolation does not allow for fine-grained platform protection or application function protection enforced by the platform.
Under limited circumstances, finer-grained control of security may be possible. For example, finer-grained control may be possible by checking an application's identification. As a particular example, a server application can programmatically check whether a smart card application client is one the server allows. However, this check is limited in that it is typically based only on the identification of the application client.
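The owning-context rule, the shareable interface object (SIO) exception and the client-identification check described above, modeled as an added Python sketch; it is not part of the original text and is not the API of any real runtime environment. The class names, the context names "bank", "loyalty" and "unknown", and the balance value are constructed for illustration.

```python
class FirewallError(Exception):
    """Cross-context access refused."""

class Shareable:
    """Marker: instances may be invoked from another context (an SIO)."""

class Runtime:
    """Toy runtime environment (hypothetical model, not a real RE API)."""
    def __init__(self):
        self.owner = {}       # id(object) -> owning context
        self.previous = None  # context that made the call now in progress

    def new(self, context, obj):
        self.owner[id(obj)] = context  # owner is the creating context
        return obj

    def call(self, caller, obj, method):
        if self.owner[id(obj)] != caller and not isinstance(obj, Shareable):
            raise FirewallError("object owned by another context")
        saved, self.previous = self.previous, caller  # callee can ask who called
        try:
            return getattr(obj, method)()
        finally:
            self.previous = saved

class Purse:  # ordinary object: reachable only from its owning context
    balance = 100  # constructed sample value
    def get_balance(self):
        return self.balance

class PurseService(Shareable):  # the interface the server chooses to expose
    def __init__(self, rt, purse, allowed):
        self.rt, self.purse, self.allowed = rt, purse, allowed
    def get_balance(self):
        if self.rt.previous not in self.allowed:  # identity is the only input
            raise FirewallError("client not allowed by server")
        return self.purse.get_balance()  # same context: no firewall crossing

def demo():
    rt = Runtime()
    purse = rt.new("bank", Purse())
    sio = rt.new("bank", PurseService(rt, purse, {"loyalty"}))
    def attempt(client, target):
        try:
            return rt.call(client, target, "get_balance")
        except FirewallError:
            return "blocked"
    return {(c, n): attempt(c, t) for c in ("loyalty", "unknown")
            for n, t in (("direct", purse), ("sio", sio))}
```

Both decisions in the model depend only on which context is calling, so an allowed client receives everything the SIO exposes.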
Policy-based access control allows for protecting functionalities provided by the Runtime Environment (RE), an application or a library. The protected functionality may be a block of code that implements the protected functionality, a protected object in the sense of object-oriented programming, or protected data.
The approaches described in this section could be pursued, but are not necessarily approaches that have been previously conceived or pursued. Therefore, unless otherwise indicated herein, the approaches described in this section are not prior art to the claims in this application and are not admitted to be prior art by inclusion in this section.